<%
from invirt.config import structs as cfg
hostname = cfg.web.hostname
errmail  = cfg.web.errormail
tracuri  = cfg.trac.uri
%>
Listen 442
Listen 446

<%def name="invirt_webinterface()">
	DocumentRoot /var/www/invirt-web
	<Directory /var/www/invirt-web>
		Options Indexes FollowSymLinks MultiViews ExecCGI
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>
	<Location />
${caller.body()}
	</Location>

	RewriteEngine On
	RewriteRule ^/favicon.ico - [L]
	RewriteRule ^/static(.*) - [L]
	RewriteRule ^/overlord/static(.*) /static/$1 [L]
	RewriteRule ^/admin/static(.*) /static/$1 [L]
	RewriteRule ^/trac(.*) ${tracuri}$1 [R,L]
	RewriteRule ^/(.*) /var/www/invirt-web/auth.fcgi/$1 [L]

	RewriteLog /var/log/apache2/rewrite.log
	RewriteLogLevel 0 

	ErrorLog /var/log/apache2/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog /var/log/apache2/ssl_access.log combined
	ServerSignature On

	SSLEngine on

	SSLCertificateFile ssl/server.crt
	SSLCertificateChainFile ssl/server.crt
	SSLCertificateKeyFile ssl/server.key
	
	SSLCACertificateFile /etc/ssl/certs/mitCAclient.pem
	SSLVerifyDepth 10

	SSLOptions +StdEnvVars
        SSLProtocol all -SSLv2
        SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
	
	SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

	Redirect /wiki ${tracuri}	
</%def>
<VirtualHost *:443>
	ServerAdmin ${errmail}
	ServerName ${hostname}:443
	<%call expr="invirt_webinterface()">
		Require valid-user
		AuthType SSLCert
		AuthSSLCertVar SSL_CLIENT_S_DN_Email
		AuthSSLCertStripSuffix "@MIT.EDU"
	</%call>
	SSLVerifyClient require
</VirtualHost>
<VirtualHost *:442>
	ServerAdmin ${errmail}
	ServerName ${hostname}:442
	<%call expr="invirt_webinterface()">
		Require valid-user
		AuthType Kerberos
		KrbMethodNegotiate on
		KrbMethodK5Passwd off
		KrbAuthoritative off
		KrbAuthRealms ${cfg.kerberos.realm}
		Krb5Keytab /etc/invirt/keytab
		KrbSaveCredentials off
	</%call>
	SSLVerifyClient optional
</VirtualHost>

<VirtualHost *:446>
	ServerAdmin ${errmail}
	ServerName ${hostname}:446
	
	DocumentRoot /var/www/invirt-web
	<Directory />
		Options Indexes FollowSymLinks MultiViews ExecCGI
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

	ErrorLog /var/log/apache2/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog /var/log/apache2/ssl_nocert_access.log combined
	ServerSignature On

	SSLEngine on

	SSLCertificateFile ssl/server.crt
	SSLCertificateChainFile ssl/server.crt
	SSLCertificateKeyFile ssl/server.key
	
	SSLVerifyClient none

	SSLOptions +StdEnvVars
        SSLProtocol all -SSLv2
        SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
	
	SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0	
</VirtualHost>